TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Efforts Have Been Made, but Manager and Employee Noncompliance With Security Policies and Procedures Puts Personally Identifiable Information at Risk

August 13, 2007

Reference Number: 2007-20-117

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number | 202-927-7037
Email Address | Bonnie.Heald@tigta.treas.gov
Web Site | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

August 13, 2007

MEMORANDUM FOR CHIEF INFORMATION OFFICER

FROM: Michael R. Phillips, Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Efforts Have Been Made, but Manager and Employee Noncompliance With Security Policies and Procedures Puts Personally Identifiable Information at Risk (Audit # 200620007)

This report presents a summary of significant actions that have been accomplished by the Internal Revenue Service (IRS) and the security weaknesses identified in our prior audit reports issued during Fiscal Years 2003 – 2007. The overall objective of this review was to determine the progress the IRS has made in ensuring the security and privacy of personally identifiable information (PII) it maintains.
The Consolidated Appropriations Act of 2005[1] requires each agency’s Inspector General to review the policies and procedures related to PII and conduct reviews at least every 2 years to ensure it is adequately protected.

[1] Public Law 108-447, 118 Stat. 2268, 5 U.S.C. 522a.

Impact on the Taxpayer

The IRS processes and maintains PII for more than 130 million taxpayers who file their income tax returns with the IRS. While the IRS has accomplished several noteworthy actions to protect this information, managers and employees have not complied with established security procedures. As a result, PII is being unnecessarily exposed to unauthorized access and potential identity theft.

Synopsis

The American public and Congress have become increasingly concerned about the protection of PII and identity theft. This issue is a significant challenge for the IRS, considering nearly 100,000 employees and contractors have access to tax return information processed on approximately 240 computer systems and more than 1,500 databases. Some of those employees are required to take sensitive taxpayer information out of the office on laptop computers to carry out their audit and collection responsibilities, increasing the risk that information could be lost or stolen.

The IRS has taken several noteworthy actions to protect taxpayer data in its possession. For example, it has established a Security Services and Privacy Executive Steering Committee to serve as the primary governance body for all matters relating to security and privacy issues in the IRS.
In addition, it has made steady progress each year in complying with the requirements of the Federal Information Security Management Act of 2002.[2] Of particular note is that nearly all employees and contractors receive annual security awareness training.

However, our reviews during Fiscal Years 2003 – 2007 have identified persistent computer security weaknesses that continue to jeopardize the security of PII. We continue to find that employees are not aware of the security risks inherent in their positions. Employees did not sufficiently safeguard laptop computers and did not encrypt data on the computers. Employees have also shown they are susceptible to social engineering techniques that hackers could use to gain access to their systems, and they continue to ignore IRS policies on the use of email, which increases potential security vulnerabilities. Even employees with key security responsibilities continue to ignore standard security configurations, often for their own convenience.

Our audits have shown that managers provide employees access to systems and data they do not need. In many cases, managers are not aware of the access capabilities of their employees. A fundamental goal of the IRS’ computer modernization activities has been to provide more information to employees to improve their effectiveness and efficiency. New systems being developed will have the capability to provide even more information to these employees, which could actually increase the risk that the privacy of taxpayer information will be violated. The IRS will have to be more diligent in limiting employee access to a need-to-know basis.

We have also found that technical controls in modernized systems and the security infrastructure are inadequate.
Although industry guidance recommends that security controls be designed into new systems early in the development process, security has not been at the forefront when new systems are developed in the IRS. Waiting until systems are implemented to address security controls will most likely cost significantly more than if security controls had been considered during the development of the systems. We have also found that audit trails[3] for detecting inappropriate accesses to taxpayer information on modernized systems are not being reviewed and retained.

[2] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).
[3] An audit trail is a chronological record of activities that allows for the reconstruction, review, and examination of a transaction from inception to final results. Audit trails can be used to detect unauthorized accesses to PII.

It is clear that some IRS executives are not holding managers and employees accountable for carrying out their responsibilities and for ensuring managers and employees are aware of the security risks associated with their positions.
For the IRS to make greater strides in improving computer security and protecting PII, managers and employees must be aware of the security risks inherent to their positions and consider security implications in their day-to-day activities. Executives must clearly communicate expectations that procedures will be followed and take appropriate actions when procedures are not followed.

Recommendations

Because we have already made recommendations related to the aforementioned issues in our prior audit reports and the IRS is taking actions to address these deficiencies, no additional recommendations were made. We will continue to monitor the IRS’ overall strategy and ability to protect and secure PII in future security-related reviews, where we may evaluate and report on the completion and effectiveness of actions taken to address security deficiencies.

Response

The IRS agreed that, while progress is being made, more needs to be done to ensure the issue of privacy and security over PII is a fundamental and top priority. The IRS will continue to update its systems, processes, and training so employees are aware of the steps they must take to prevent taxpayer information from being compromised. Management’s complete response to the draft report is included as Appendix V.

Copies of this report are also being sent to the IRS managers affected by the report. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

Table of Contents

Background
Results of Review
    Management Has Taken Actions to Improve the Privacy of Sensitive Data
    Managers and Employees Are Not Complying With Established Security Policies and Procedures
Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – List of Security-Related Audit Reports
    Appendix V – Management’s Response to the Draft Report

Abbreviations

IDRS    Integrated Data Retrieval System
IRS     Internal Revenue Service
PII     Personally Identifiable Information

Background

The American public and Congress have become increasingly concerned about the protection of personally identifiable information (PII)[1] and identity theft. The Social Security Administration reports identity theft is one of the fastest growing crimes in America and encourages every citizen to protect his or her Social Security Number. The Commerce Department estimates more than 50 million identities were compromised in 2005, and the Federal Trade Commission reported it receives about 20,000 contacts from consumers each week about identity theft.

    Identity theft is widely reported as the largest and fastest growing crime in America. The Federal Trade Commission receives about 20,000 complaints or inquiries each week from consumers about identity theft.

Several recent security breaches in private industry have made newspaper headlines. One recent example of identity theft, which was widely reported in the news media on December 14, 2006, linked identity theft to illegal immigration.
Federal agents from the Immigration and Customs Enforcement agency raided 6 meatpacking plants in 6 States and arrested 1,282 illegal workers for stealing the identities of American citizens. The investigation determined that illegal immigrants had obtained Social Security Numbers and other PII from a variety of document fraud rings and vendors.

Because the Federal Government maintains a large quantity of PII, its agencies could be prime targets for identity theft. The Internal Revenue Service (IRS) stores PII for more than 130 million individual taxpayers who file their income tax returns each year with the IRS. Each tax return includes the filer’s name, address, Social Security Number, and other personal information. Approximately 30 percent of the returns also include the names and Social Security Numbers of at least one dependent. In addition, the IRS maintains PII on its employees and contractors. The IRS identified the security of its computer systems as a high priority in its 2005 – 2009 Strategic Plan and designated security as a material weakness under the Federal Managers’ Financial Integrity Act of 1982.[2]

[1] PII includes any information about an individual maintained by an agency including, but not limited to, education, financial transactions, medical history, criminal or employment history, and information that can be used to distinguish or trace an individual’s identity, such as name, Social Security Number, date and place of birth, etc.
[2] 31 U.S.C. Sections 1105, 1113, 3512 (2000).

The challenge to protect PII from unauthorized disclosure is related not only to the magnitude of the data but also the complexity of ever-changing technology and the number of computer systems the IRS operates. The IRS processes and maintains PII using more than 240 computer systems and 1,500 databases. Most of its approximately 100,000 employees and contractors have access to at least some of these data on a daily basis. To compound the risk that information could be lost or stolen, some IRS employees must take PII outside of their offices on laptop computers to carry out their audit and collection responsibilities. The competing goals of protecting PII and achieving workplace efficiencies become even more difficult as technology evolves and becomes faster and more complex.

To reinforce requirements for agencies to secure PII, Congress passed the Consolidated Appropriations Act of 2005[3] on December 8, 2004. The Act requires Federal Government agencies to appoint a Chief Privacy Officer with the primary responsibility of privacy and data protection. The Chief Privacy Officer is required to establish comprehensive policies and procedures and test the procedures to ensure they are followed. The Act also requires each agency’s Inspector General to review the policies and procedures related to PII and conduct reviews at least every 2 years to ensure it is adequately protected.

This review was performed in the office of the Chief, Mission Assurance and Security Services, at the IRS National Headquarters in Washington, D.C., during the period December 2006 through March 2007. This review relied on audit results from Treasury Inspector General for Tax Administration security-related reports issued during Fiscal Years 2003 – 2007. The audits referenced in this report were conducted in accordance with Government Auditing Standards and are listed in Appendix IV.
Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[3] Public Law 108-447, 118 Stat. 2268, 5 U.S.C. 522a.

Results of Review

Management Has Taken Actions to Improve the Privacy of Sensitive Data

IRS executives and managers have taken several actions to protect PII. A Security Services and Privacy Executive Steering Committee was established in June 2006 to serve as the primary governance body for all matters relating to security services and privacy planning. The Committee is chaired by the Chief, Mission Assurance and Security Services, and includes representatives from each of the IRS business units. Each member is responsible for collecting and reporting on all privacy and security areas of concern.

Another important action to create a strong security environment was taken by the IRS Commissioner on June 1, 2006, when he issued an email to IRS managers emphasizing the importance of safeguarding PII. The Commissioner instructed all managers to:

    Remind every IRS employee and contractor of their responsibility to safeguard taxpayer, employee, and all other personally identifiable information . . . and ensure that your employees are familiar with the policies and procedures the IRS has enacted to avoid privacy breaches.

The Commissioner has also continued his efforts to dispel the perception that security is solely the responsibility of the Mission Assurance and Security Services organization by reminding executives that all managers and employees are responsible for the security of PII.

The importance of protecting PII will be emphasized in a video scheduled for distribution to IRS employees in the third quarter of Fiscal Year 2007. The video will include statements by the IRS Commissioner and the Treasury Inspector General for Tax Administration. One such statement made in the video will be, “. . . it is vital that every employee remain sensitive and vigilant to their commitment and responsibility to protect government equipment and PII.” We believe these high-level actions from the top level of the organization send a strong message to all employees and are critical in transforming the IRS into a security-conscious organization.

The IRS has also made steady progress in recent years to comply with the Federal Information Security Management Act of 2002.[4] For Fiscal Year 2006, the IRS reported its computer systems had a certification and accreditation[5] rate of 95 percent, which is an improvement over Fiscal Year 2005 when only 35 percent of the systems were certified and accredited. During Fiscal Year 2006, the IRS reassessed the security risks of its computer systems, and we are confident that the inventory is substantially complete and the risk categorizations of the computer systems are accurate. The IRS also provided annual security awareness training to nearly all of its employees and contractors.

[4] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).

The IRS satisfied a major requirement of the Consolidated Appropriations Act of 2005 by appointing a Chief Privacy Officer to assume responsibility for privacy and data protection policies. The Chief Privacy Officer completed a comprehensive assessment[6] of the IRS privacy and data protection procedures and made recommendations to strengthen the controls.

The IRS also established an Identity Theft Program Office to identify security threats to itself and taxpayers and to develop approaches to best protect against the threats. To fulfill its responsibilities, the Identity Theft Program Office contracted with Deloitte Consulting to perform an identity theft risk assessment. The assessment, completed October 16, 2006, identified 113 business processes containing taxpayer information and characterized 48 of those processes as high priority from a risk perspective.
IRS management selected 36 of the high-priority processes for in-depth reviews.

[5] Security certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of an accreditation, to determine the extent to which the controls are implemented correctly and operating as intended. Accreditation is the official management decision given by the owner of the information system to authorize the operation of the system and to explicitly accept the risks.
[6] Policy and Process Review – Protection of Personally Identifiable Information (PII), dated June 26, 2006.

Managers and Employees Are Not Complying With Established Security Policies and Procedures

While progress is being made, our prior reviews have identified persistent issues that continue to place the privacy and security of PII at risk. It is clear that some IRS executives are not holding managers and employees accountable for carrying out their responsibilities and are not ensuring managers and employees are aware of the security risks associated with their positions. For the IRS to make greater strides in improving computer security and protecting PII, managers and employees must be aware of the security risks inherent to their positions and consider security implications in their day-to-day activities. Executives must clearly communicate expectations that procedures will be followed and take appropriate actions when procedures are not followed.

The remainder of this report highlights some of the most significant security and privacy issues we have previously reported.

Employees did not safeguard laptop computers[7]

The IRS lost at least 490 computers and other sensitive data from 387 separate incidents between January 2, 2003, and June 13, 2006. For the 387 incidents, we determined it was unlikely that 176 incidents involved taxpayer data. For the remaining 211 incidents, we analyzed the incident writeups as of June 2006 and found 126 incidents contained sufficient details to show that personal information for at least 2,359 individuals was involved with the incidents. We were unable to identify the nature of the data loss and the identity of taxpayers whose information may have been lost for the other 85 incidents due to a lack of detail in the incident writeups.

    We were unable to determine the full impact to the taxpayers on many of the incidents involving the loss or theft of computer equipment and/or taxpayer data.

Employee negligence contributed to some of the losses. For example, 111 incidents occurred within IRS facilities, indicating employees were likely not storing their laptop computers in lockable cabinets while the employees were away from the office.
Further, because a large number of laptop computers were stolen from vehicles and employees’ residences, employees may not have secured their laptop computers in the trunks of their vehicles or locked their laptop computers at home. Sufficient documentation was not available to evaluate the circumstances surrounding most of the 387 incidents. However, we determined that at least 24 of the incidents could have been prevented if employees had followed IRS policies and procedures.

•   Fourteen incidents involved employees storing the laptop computers in unlocked vehicles, in the front seat or back seat of their vehicles, or forgetting to place computers into their vehicles.
•   Seven incidents involved employees leaving computers on buses and trains and at airports.
•   Three incidents occurred because employees checked their computers as luggage at an airport.

The 24 incidents involved personally identifiable information for 480 individuals. The loss of these records, which consisted of taxpayer and employee information, could have been prevented if employees had taken more care to safeguard the computers.

We obtained information on whether disciplinary actions were taken against the responsible employees for 18 of the 24 incidents and found that only 1 employee involved in the 18 incidents was disciplined.
The IRS’ own guide for penalty determinations indicates the loss of Federal Government property may result in discipline ranging from a written reprimand to a 14-day suspension for a first offense. We believe disciplining employees for security violations resulting from negligence or carelessness could deter others from neglecting their responsibilities for protecting Federal Government property.

[7] The Internal Revenue Service Is Not Adequately Protecting Taxpayer Data on Laptop Computers and Other Portable Electronic Media Devices (Reference Number 2007-20-048, dated March 23, 2007).

We recommended the Chief, Mission Assurance and Security Services:

1.  Provide employees periodic reminders of their responsibilities for protecting computer devices, which, at a minimum, should include storing laptop computers in locking cabinets in the office, storing laptop computers in the trunks of vehicles, and securing laptop computers at home or alternate work locations.
2.  Periodically publicize an explanation of employees’ responsibilities for preventing the loss of computer equipment and taxpayer data, the associated disciplinary penalties for negligence over these responsibilities, and a statistical summary of actual violations and disciplinary actions relating to loss of computer equipment and taxpayer data.

The IRS agreed with our finding and recommendations.
The IRS also informed us that it has taken the following additional actions to address the loss of PII:

•   Established a policy to notify individuals of the loss of their PII.
•   Defined roles and responsibilities in the IRS’ incident management process.
•   Created a PII Incident Risk Analysis Methodology that it will use to categorize incidents and determine the appropriate IRS response.
•   Created a PII Incident Notification Letter, which will be used to notify individuals whose PII has been compromised.

Employees were not encrypting PII on their laptop computers and other electronic media[8]

We selected 100 laptop computers from 4 IRS offices that support the Wage and Investment, Small Business/Self-Employed, and Large and Midsize Business Divisions and found that 44 of the 100 laptop computers contained unencrypted PII data such as:

•   Individual Income Tax Returns (Form 1040).
•   U.S. Corporation Income Tax Returns (Form 1120).
•   Audit-related information, such as case history on current audits and financial data of taxpayers being audited.
•   Various IRS forms with Social Security Numbers.
•   Employee evaluations, timesheets, and applications for reassignment.

[8] The Internal Revenue Service Is Not Adequately Protecting Taxpayer Data on Laptop Computers and Other Portable Electronic Media Devices (Reference Number 2007-20-048, dated March 23, 2007).

In addition to the lack of encryption of PII on laptop computers, we found other computer devices on which PII was not always encrypted. Of the 100 employees in our sample, we found 54 were using various other electronic devices such as floppy disks, CDs, and DVDs to store unencrypted PII. Employees were using unencrypted CDs to back up taxpayer case information, to store grand jury information,[9] and to retain other PII provided by taxpayers.

The Office of Management and Budget requires agencies to ensure PII is encrypted on laptop computers and other electronic devices. To help employees encrypt the data, the IRS provided two encryption tools. First, laptop computers were configured to encrypt PII residing in specific file folders on the laptop computer’s internal hard drive. This encryption tool is part of the computer’s operating system. Employees need only save PII to these folders and the computer will automatically encrypt the data.
The second encryption tool provided by IRS management is the WinZip software program, which is particularly useful when encrypting files not stored on the computers’ internal drive, such as CDs and DVDs.

Despite the availability of the encryption tools, employees frequently chose not to encrypt PII. The employees placed the PII outside of the designated file folders for their own convenience or because they were unaware of the requirement to place the PII into the file folders. Some employees did not know their personal data were considered PII.

By not encrypting PII on laptop computers and other electronic devices, the IRS is needlessly exposing the data to unauthorized access, theft, or loss.

We recommended the Chief Information Officer:

1.  Include a reminder, in the annual certification of security awareness, that employees should store encrypted sensitive information in a secure location on their laptop computers and show them how to use commercial software approved by the IRS to encrypt sensitive data on electronic media devices, such as flash drives.
2.  Require front-line managers to periodically check their employees’ laptop computers to ensure encryption solutions are being used by employees and sensitive data are encrypted properly.
3.  Consider implementing a systemic disk encryption solution on laptop computers. When the entire hard drive is encrypted, employees will no longer have to determine what data need to be encrypted. This solution will supplement the two existing encryption solutions previously discussed.

[9] Grand jury information is all matters occurring before the grand jury. The grand jury is a jury of 12 to 23 persons convening in private sessions to evaluate accusations against persons charged with a crime and to determine whether the evidence warrants a bill of indictment.

The IRS agreed with our finding and recommendations. On March 5, 2007, the IRS informed us it had implemented a systemic disk encryption solution on laptop computers. This solution is intended to encrypt the entire hard drive of the laptop computer and requires access authentication, via login and password, whenever the laptop has been turned off. If the laptop computer is lost or stolen, unauthorized users would likely be unable to access any data on the hard drive. Whole-disk encryption of this kind protects data at rest, that is, while the computer is powered off and the decryption key is not in memory; it does not by itself protect a computer that is lost while running or suspended with a user logged in, nor data that employees copy to unencrypted removable media.

Employees continue to be susceptible to social engineering attempts[10]

We conducted this review by calling 102 managers and employees and posing as computer support helpdesk personnel seeking assistance to correct a network problem. We were able to convince 61 of them (60 percent) to give us their usernames and to change their passwords to one that we suggested. This common hacker tactic is referred to as social engineering, which involves exploiting the human aspect of computer security for the purpose of gaining insider information about an organization’s computer resources.

The IRS’ computer security procedures require employees to protect their usernames and passwords. Managers and employees must acknowledge the computer security rules prior to obtaining access to any IRS computer systems and annually recertify they are aware of their responsibilities.
In addition, the IRS has posted these requirements and password security rules on its internal web site. The web site also has a document describing social engineering and providing examples of social engineering attempts, specifically mentioning the use of telephone calls to conduct social engineering attacks. While these awareness efforts are notable, our tests continue to show that some managers and employees still do not understand the rudimentary computer security practices of protecting their passwords.

The above conditions were particularly alarming because we had conducted similar social engineering test telephone calls in August 2001 and December 2004. Our August 2001 and December 2004 test calls yielded a 71 percent and 35 percent noncompliance rate, respectively. In response to these two prior audits, the IRS took corrective actions to raise awareness over password protection requirements and social engineering attempts. However, the corrective actions have not been effective. Based on the results of this audit, we concluded employees either do not fully understand security requirements for password protection or do not place a sufficiently high priority on protecting taxpayer data in their day-to-day work. In an attempt to better understand employee behavior, we asked the employees in our sample why they did not comply with guidelines for protecting their passwords.
Some of the notable reasons given were that they thought the scenario sounded legitimate and believable, did not think that changing their password was the same as disclosing their password, or had experienced past computer problems.

[10] Employees Continue to Be Susceptible to Social Engineering Attempts That Could Be Used by Hackers (Reference Number 2007-20-107, dated July 20, 2007).

When employees are susceptible to social engineering attempts, the IRS is at risk of providing unauthorized persons access to computer resources and taxpayer data. With an employee's username and password, a hacker could gain access to PII on IRS computer systems. The hacker would gain the same access privilege as the employee. Even more significant, a disgruntled employee could use the same social engineering tactics to obtain another employee's username and password.
With insider knowledge of IRS systems and applications, the disgruntled employee could more easily gain unauthorized access to IRS data as well as disrupt computer operations.

We recommended the Chief, Mission Assurance and Security Services, continue security awareness activities to remind employees of the potential social engineering attempts, conduct internal social engineering tests on a periodic basis to increase employee awareness of the need to protect usernames and passwords, and coordinate with business units to emphasize the need to discipline employees for security violations resulting from negligence or carelessness.

The IRS agreed with our findings and recommendations.

Employees were not following the IRS email use policy[11]

To determine whether IRS employees were complying with the IRS' personal use policy, we selected a statistical sample of 96 employees from its list of email addresses and reviewed 46,551 emails received and sent by these employees during June through August 2005. We found 2,576 messages in 71 (74 percent) of the 96 employee mailboxes that violated the IRS' personal use policy. These employees had from 1 to 288 inappropriate emails in their mailboxes. Specifically, we found the following types of inappropriate emails:
    • Chain letters, jokes, and/or pictures accounted for 76 percent of the inappropriate emails. The content is often considered harmless on its own; however, it is well known that these messages present a security threat by being common carriers of malicious software.[12]
    • Emails containing content considered offensive according to IRS guidelines accounted for 20 percent of the inappropriate emails.
      These emails contained hate speech and material that ridiculed others on the basis of race, creed, religion, color, sex, disability, national origin, or sexual orientation.
    • Emails containing sexually oriented content, prohibited activities, and/or large files accounted for the remaining 4 percent of the inappropriate messages. Prohibited activities include activities conducted for commercial purposes, in support of for-profit activities, or in support of other outside employment.

[11] Inappropriate Use of Email by Employees and System Configuration Management Weaknesses Are Creating Security Risks (Reference Number 2006-20-110, dated July 31, 2006).
[12] Malicious software is designed to infiltrate or damage a computer system, without the owner's consent. It includes computer viruses, spyware, and adware.

Figure 1 summarizes these email policy violations by type.

    Figure 1: Email Policy Violations by Type

    Chain Letters                                  1,953
    Offensive Content                                528
    Sexually Oriented Content                         55
    Prohibited Activities                             22
    Large Files (graphics, video, sound, etc.)        18
    TOTAL                                          2,576

    Source: Our analysis of a sample of 96 IRS employees' email messages.

In May 2002, the IRS implemented a limited personal use policy for the Internet, email, and other equipment and resources.[13] The policy cautions employees to conduct themselves professionally and to refrain from using Federal Government information technology equipment for activities that are inappropriate based on established standards of conduct. The IRS considers email as inappropriate if it contains large, nonbusiness file attachments; chain letters; jokes; material that is offensive to other employees; or sexually oriented material. Email pertaining to illegal activities and other outside activities, such as running a business, fundraising, or restricted political activity, is also considered inappropriate.

We believe the high number of email policy violations occurred because the IRS has not effectively monitored the email of its employees to ensure compliance with the policy and has taken relatively few disciplinary actions on those employees who violate the policy. Between Fiscal Years 2003 and 2005, the IRS disciplined only 283 employees for abuse of email privileges. Of the 283 employees, 193 received written or oral counseling; 86 received formal disciplinary actions including admonishments, reprimands, suspensions, and removal; and 4 resigned. One additional case was referred to the Treasury Inspector General for Tax Administration Office of Investigations.

The large number of inappropriate emails places the IRS network at risk.
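The monitoring the report finds missing can be approximated with simple content rules applied to sampled mailboxes. The script below is an added example, not IRS code and not the monitoring program the report discusses: it classifies constructed sample messages into the five categories of Figure 1 and tallies them the way the figure does, together with the share of sampled mailboxes that had at least one violation. The term lists, the attachment-size threshold, and every sample message are assumptions; the offensive and sexual term lists hold placeholder tokens only.

```python
"""Classify sampled email messages against a limited-personal-use policy
and tally violations by type, in the layout of Figure 1.

Added example, not IRS code or the IRS' monitoring program. The
detection rules are assumptions: chain letters by forwarding phrases,
offensive and sexually oriented content by term lists (placeholder tokens
here), prohibited activities by commercial phrases, large files by
attachment size. The threshold and every sample message are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Message:
    mailbox: str                      # owner of the sampled mailbox
    subject: str
    body: str
    attachments: list = field(default_factory=list)  # (name, size_bytes)


LARGE_FILE_BYTES = 5 * 1024 * 1024   # assumed "large file" threshold

# Assumed term lists. An agency deployment would load its own lists from
# policy; the offensive/sexual tokens below are placeholders only.
CHAIN_PHRASES = ("forward this to", "send this to everyone", "bad luck")
OFFENSIVE_TERMS = ("[offensive-term]",)
SEXUAL_TERMS = ("[sexual-term]",)
PROHIBITED_PHRASES = ("for sale", "my side business", "order now")

CATEGORIES = ("Chain Letters", "Offensive Content",
              "Sexually Oriented Content", "Prohibited Activities",
              "Large Files")


def classify(msg: Message):
    """Return the first policy category the message violates, or None.
    Checks run in the order Figure 1 lists the categories, so a chain
    letter with a large attachment is counted once, as a chain letter."""
    text = f"{msg.subject}\n{msg.body}".lower()
    if any(p in text for p in CHAIN_PHRASES):
        return "Chain Letters"
    if any(t in text for t in OFFENSIVE_TERMS):
        return "Offensive Content"
    if any(t in text for t in SEXUAL_TERMS):
        return "Sexually Oriented Content"
    if any(p in text for p in PROHIBITED_PHRASES):
        return "Prohibited Activities"
    if any(size >= LARGE_FILE_BYTES for _name, size in msg.attachments):
        return "Large Files"
    return None


def tally(messages, sampled_mailboxes):
    """Count violations by category and the share of sampled mailboxes
    with at least one violation (the report's 71 of 96 figure)."""
    by_type = Counter({c: 0 for c in CATEGORIES})
    offenders = set()
    for msg in messages:
        category = classify(msg)
        if category:
            by_type[category] += 1
            offenders.add(msg.mailbox)
    total = sum(by_type.values())
    return {
        "by_type": dict(by_type),
        "total": total,
        "mailboxes_with_violations": len(offenders),
        "mailbox_violation_rate": round(100 * len(offenders) / sampled_mailboxes),
    }


# Constructed sample: six messages across five sampled mailboxes.
SAMPLE = [
    Message("alice", "FW: FW: lucky email",
            "Forward this to ten people or bad luck follows"),
    Message("bob", "Q3 figures", "Spreadsheet attached", [("q3.xlsx", 40_000)]),
    Message("carol", "Vacation video", "Enjoy!", [("beach.mpg", 12 * 1024 * 1024)]),
    Message("alice", "Candles", "Handmade candles for sale, order now"),
    Message("dave", "Joke of the day", "[offensive-term] ... placeholder text"),
    Message("erin", "Status", "Project on track"),
]


def report():
    """Run the tally over the constructed sample."""
    return tally(SAMPLE, sampled_mailboxes=5)


if __name__ == "__main__":
    result = report()
    for category, count in result["by_type"].items():
        print(f"{category:28s}{count:6d}")
    print(f"{'TOTAL':28s}{result['total']:6d}")
```

Counting each message once under its first matching category keeps the totals additive, which is what lets a figure like Figure 1 sum to the number of violating messages rather than the number of rules tripped.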
For example, malicious software could be attached to these emails that could destroy data on the computer, enable unauthorized persons to access PII, and/or disrupt computer operations by causing a denial of service attack.[14]

[13] IRS Policy on Limited Personal Use of Government Information Technology Equipment/Resources.
[14] A denial of service attack inundates a computer system or network with traffic that overloads the system resources, causing them to cease operations or lose network connectivity.

In addition to the security risks, the performance and efficiency of the IRS' computing network is degraded by the number and size of inappropriate email messages. Many of the sampled messages contained graphics, sound, video, and/or animations that significantly increased the sizes of the files. Inclusion of these unnecessary features in an email message often increases a message's size from 10 times to 50 times the size of a normal text message, causing the system to operate slower and less efficiently, and creates the need for additional storage capacity that can be costly.

Offensive and inappropriate content in messages can also damage employee relationships and lead to adverse personnel actions or potential lawsuits. When forwarded to outside recipients, these messages could also invite high-profile media attention, thus damaging the IRS' reputation.

We recommended the Chief, Mission Assurance and Security Services:
    1. Continue to emphasize the risks associated with inappropriate email use.
       If reminders that disciplinary actions have been taken against employees for email abuse are added to existing security awareness training, the number of violations may be reduced.
    2. Consider implementing a program of monitoring email message content, which could subsequently increase the number of employees disciplined for abusing their email privileges. This approach will require a commitment of additional resources. However, considering the risks of subjecting the IRS network to malicious software, we believe this commitment is necessary.

The IRS agreed with our findings and recommendations.

Managers gave employees access to systems they did not need[15]

In an audit covering five systems in several IRS offices, managers and system administrators did not ensure user accounts for employees were removed from systems when employees left the IRS, transferred to another function, or changed job responsibilities. We identified 139 (21 percent) of 652 employees with active user accounts who, according to their managers, no longer had a business need to have system access. Keeping unneeded user accounts active increased the risk that unauthorized users could gain access to taxpayer data.

For the 513 employees who had a need to access the systems, we found no documentation that 128 (25 percent) had been properly authorized. Without the documentation, it was impossible to determine how these employees obtained access to the systems. We believe either managers did not carry out their responsibilities for formally approving employees' access or system administrators may have added employees to systems without a manager's authorization. When these employees leave the IRS or no longer need access to a system, their managers may not know they had access and the accounts will remain active.

[15] Managers and System Administrators Need to Limit Employees' Access to Computer Systems (Reference Number 2005-20-097, dated July 2005).

A fundamental goal of the IRS' computer modernization activities has been to provide more information to employees to improve their effectiveness and efficiency. New systems being developed will have the capability to provide even more information to these employees, which could actually increase the risk that the privacy of taxpayer information will be violated. The IRS will have to be more diligent in limiting employee access to a need-to-know basis.

We recommended the Chief Information Officer:
    • Enforce current procedures by configuring systems to automatically disable employees' accounts after 45 days of inactivity and to automatically delete the accounts after 90 days of inactivity.

We also recommended the Chief, Mission Assurance and Security Services:
    • Coordinate with the business units to include tests of access controls during annual self-assessments required by the Federal Information Security Management Act.
      These reviews should reinforce to business unit managers the need to limit access to systems.

The IRS agreed with our findings and recommendations.

Managers were not consistently reviewing audit trail[16] information to identify unauthorized accesses to taxpayer accounts[17]

We determined a majority of IRS managers were not investigating potential unauthorized accesses to the Integrated Data Retrieval System (IDRS).[18] The IDRS is a mission critical system that contains PII such as taxpayers' names, Social Security Numbers, birth dates, addresses, and income. As stated earlier, the IRS operates about 240 computer systems that process PII. The IDRS is one such computer system on which audit trails are maintained and reviewed for questionable accesses.

[16] An audit trail is a chronological record of activities that allow for the reconstruction, review, and examination of a transaction from inception to final results. Audit trails can be used to detect unauthorized accesses to PII.
[17] Increased Managerial Attention Is Needed to Ensure Taxpayer Accounts Are Monitored to Detect Unauthorized Employee Accesses (Reference Number 2006-20-111, dated July 24, 2006).
[18] IRS computer system capable of retrieving or updating stored information; it works in conjunction with a taxpayer's account records.
[19] This system is a web-based application that provides business unit managers and data security staffs online access to security reports based on the IDRS audit trail information.

IRS business unit managers must review and certify the following four IDRS Security Reports using the IDRS Online Reports Services system:[19]
    • Sensitive Access Report – Issued weekly; identifies IRS employees who have accessed another employee's or an employee's spouse's tax accounts. The IRS requires business unit managers to determine whether employees made these accesses for work-related reasons. Business unit managers must take appropriate steps, including research on the IDRS and review of case assignment files, to identify the employees' reasons for the accesses. If needed, business unit managers may also interview the employees.
    • Security Violations Report – Issued weekly; identifies unsuccessful logon attempts and employees who left their computers without logging off.
      Business unit managers should discuss these violations with their employees to determine whether unauthorized persons were trying to guess their passwords and whether the employees need additional training on using the IDRS.
    • IDRS Security Profile Reports (2 reports) – Issued monthly and quarterly; identifies employees' capabilities on the IDRS and attempted accesses to taxpayer accounts using unauthorized command codes. Business unit managers should review these reports to ensure employees only have the access capabilities they need to perform their responsibilities and to determine whether all attempted accesses to taxpayer accounts using unauthorized command codes were unintentional errors.

IRS procedures require managers to review and certify the weekly IDRS Security Reports within 14 calendar days of receipt and the monthly and quarterly Security Profile Reports within 28 calendar days of receipt. For September 2005, we determined only 42 percent of IRS managers certified their IDRS Security Reports. Only 36 percent of these certifications were performed timely.

The Mission Assurance and Security Services organization and IRS business units have not sufficiently emphasized the need for business unit managers to review IDRS security reports and have not held their managers accountable for reviewing these reports on a regular basis. Without these reviews, the IRS cannot detect unauthorized accesses to PII. Employees may be browsing their neighbors' or other employees' tax accounts with little chance of detection.

We recommended the Chief, Mission Assurance and Security Services:
    • Coordinate with IRS business units and place emphasis on the review of electronic IDRS Security Reports using the IDRS Online Reports Services system.
      Periodic compliance reviews should be conducted to ensure business units carry out their responsibilities to review IDRS Security Reports.

We also recommended the Deputy Commissioner for Operations Support and the Deputy Commissioner for Services and Enforcement:
    • Ensure all business unit managers' operational review requirements are updated to include a step to validate that all IDRS Online Reports Services system-related reports are certified timely (by the manager or designee) and to hold the business unit managers accountable for meeting their security-related responsibilities.

The IRS agreed with our findings and recommendations.

Key security employees were not following security procedures, which allowed the IRS network system to remain vulnerable to insider attacks[20]

Our reviews of the IRS internal network system have identified persistent security weaknesses. In June 2005, we contracted with a computer security company to provide an objective internal network security review. This internal penetration test of the IRS network system identified six high-risk vulnerabilities that could allow an unauthorized person to gain access to PII. The following three vulnerabilities are well-known in the hacker community and related to incorrect or incomplete installation of software applications:
    • Blank passwords to system administrator accounts on a database application were not changed. When the database application is installed, it contains a system administrator user account with a blank password.
      The database application vendor instructions and IRS installation procedures require changing the password to one that meets the IRS standard password configuration.
    • Default logons and passwords on another database application were not changed. When the database application is installed, it contains default logons and passwords that are readily available from the Internet. The vendor's instructions and IRS installation procedures require changing or removing the default logons and passwords.
    • Unneeded services were not removed, and security features such as patches[21] were not installed or updated. The operating system vulnerability, known as sadmind, is caused by not removing unneeded services and not applying security patches. This vulnerability can be used to gain control of the host machine.

These three vulnerabilities were also identified and reported in our 2004 Penetration Test report, and two of the three were reported in our 2003 Penetration Test report.[22]

IRS procedures provide adequate guidance to system and database administrators that, if followed, would have eliminated the above vulnerabilities. However, the vulnerabilities persisted because system administrators chose to ignore controls for their own convenience and were not held accountable for complying with procedures.

[20] Internal Penetration Test of the Internal Revenue Service's Networked Computer Systems (Reference Number 2005-20-144, dated September 2005).
[21] A patch is a fix of a design flaw in a computer program. Patches must be installed or applied to the appropriate computer for the flaw to be corrected.
[22] Penetration Test of Internal Revenue Service Computer Systems (Reference Number 2004-20-073, dated April 2004) and Penetration Test of Internal Revenue Service Computer Systems (Reference Number 2003-20-082, dated March 2003).

When key security employees such as system administrators and database administrators do not follow IRS procedures, security risks and vulnerabilities exist that could permit the loss of PII. The risk to the IRS network system is especially high because a significant number of employees and contractors have access to the network.

We recommended the Chief Information Officer:
    1. Examine the IRS' internal network to identify and correct the three exploited vulnerabilities. Specifically, the Chief Information Officer should ensure blank passwords for system administrator accounts on the databases are changed, default logons and passwords are changed, and sadmind vulnerabilities on computers with UNIX operating systems are corrected.
    2. Enforce accountability and increase the awareness of database administrators and system administrators regarding the correct installation procedures for software, particularly database software.

The IRS agreed with our findings and recommendations.

The IRS and its contractors were not integrating security controls into modernized computer systems[23]

We identified several security technical control weaknesses in five modernization systems and the security infrastructure we reviewed, many of which could have been addressed during the development phase[24] of the systems as recommended by industry experts. For example, audit trails were not functioning and disaster recovery plans were not considered for the modernized systems we reviewed. In addition, documentation for the modernization systems indicated a lack of emphasis on security controls because it provided only general or outdated descriptions of security requirements.

[23] Security Controls Were Not Adequately Considered in the Development and Integration Phases of Modernization Systems (Reference Number 2005-20-128, dated August 2005). We judgmentally selected and reviewed the e-Services, Internet Refund Fact of Filing, Modernized e-File, Custodial Accounting Project, and Customer Account Data Engine modernization projects.
[24] The development phase of a computer modernization project includes the analysis, design, construction, and testing of the new computer system.

The Mission Assurance and Security Services organization, the Business Systems Modernization Office (now called the Applications Development organization), and the PRIME contractor[25] are responsible for incorporating security controls into modernization systems. The Mission Assurance and Security Services organization is responsible for establishing security standards for all computer systems. The Business Systems Modernization Office is responsible for ensuring security controls are considered and integrated in modernization systems. For the systems we reviewed, the Business Systems Modernization Office contracted with the PRIME contractor to develop security controls in accordance with IRS standards.

[25] The PRIME contractor is the Computer Sciences Corporation, which heads an alliance of leading technology companies brought together to assist with the IRS' efforts to modernize its computer systems and related information technology.

The PRIME contractor focused on developing systems that would function but did not provide sufficient emphasis on the identification and development of security controls. In addition, the Mission Assurance and Security Services organization was not sufficiently involved during the early development stages of the systems.
More involvement was needed to hold the PRIME contractor accountable and to encourage the contractor to develop adequate security controls when the systems were being developed.

Waiting until systems are implemented to address security controls will most likely cost significantly more than if security controls had been considered during the development of the systems.

We recommended the Chief Information Officer:
    1. Provide oversight to ensure coordination between the Business Systems Modernization Office and its contractors. The Business Systems Modernization Office should retain the overall responsibility for ensuring security controls are provided in the development phase of new projects.
    2. Revise the Enterprise Life Cycle[26] to require disaster recovery planning during the development phase. A complete Disaster Recovery Plan should be required that addresses all modernization systems. During development, computer capacity and business resumption requirements should be gathered and considered.
    3. Ensure audit trail data captured for the Customer Account Data Engine[27] are retained and reviewed to detect unauthorized accesses.

The IRS agreed with the finding and the first two recommendations but disagreed with the third recommendation. The log and audit files used by the Customer Account Data Engine system programmers are established for recovery and diagnostic purposes and do not capture data related to unauthorized access.
Currently, the Customer Account Data Engine has no support for external data inquiry.

[26] The Enterprise Life Cycle is the set of repeatable processes the IRS and its contractors follow to modernize the IRS' computer systems.
[27] The Customer Account Data Engine is an online modernization data infrastructure that will house taxpayer accounts and tax returns.

We continue to believe audit trail information for the Customer Account Data Engine should be retained and reviewed because it currently contains tax information for more than 1.3 million returns that could be accessed by some IRS employees for unauthorized purposes and potentially used for identity theft purposes. Accordingly, audit trail information must be maintained to comply with Department of the Treasury requirements.

We also recommended the Chief, Mission Assurance and Security Services:
    4. Participate in the development phase of new systems and ensure security controls are built into the systems.

The IRS agreed with the recommendation.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine the progress the IRS has made in ensuring the security and privacy of PII it maintains. To accomplish our objective, we:
I.   Summarized the progress the IRS has achieved in securing the privacy of PII.
     A. Interviewed the Director of the IRS Office of Privacy and Information Protection to determine the progress achieved during Fiscal Years 2003 – 2007. We reviewed documentation provided by the Director of the Office of Privacy and Information Protection.
     B. Reviewed the Treasury Inspector General for Tax Administration security-related audit reports issued during Fiscal Years 2003 – 2007 and identified the positive issues reported.
     C. Reviewed the policy and process review entitled, "Protection of Personally Identifiable Information," that was completed by the IRS Chief Privacy Officer on June 26, 2006.
     D. Reviewed the Identity Theft Risk Assessment report prepared by Deloitte Consulting on October 16, 2006.
II.  Reviewed audit reports issued by the Treasury Inspector General for Tax Administration during Fiscal Years 2003 – 2007 to identify the most significant security-related weaknesses reported.
III. Identified the overall causes for the weaknesses identified in Step II.

Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Steve Mullins, Director
Kent Sagara, Audit Manager
Allen Gray, Lead Auditor
Myron Gulley, Senior Auditor

Appendix III

Report Distribution List

Acting Commissioner C
Office of the Commissioner – Attn: Acting Chief of Staff C
Deputy Commissioner for Operations Support OS
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons: Chief Information Officer OS:CIO
           Noncompliance With Security Policies and Procedures Puts\n                           Personally Identifiable Information at Risk\n\n\n\n                                                                                  Appendix IV\n\n              List of Security-Related Audit Reports\n\nThis report refers to the following security-related audit reports issued during Fiscal\nYears 2003 \xe2\x80\x93 2007. The prior reports are listed in order of appearance in this report.\n\xe2\x80\xa2   The Internal Revenue Service Is Not Adequately Protecting Taxpayer Data on Laptop\n    Computers and Other Portable Electronic Media Devices (Reference Number 2007-20-048,\n    dated March 23, 2007).\n\xe2\x80\xa2   Employees Continue to Be Susceptible to Social Engineering Attempts That Could Be Used\n    by Hackers (Reference Number 2007-20-107, dated July 20, 2007).\n\xe2\x80\xa2   Inappropriate Use of Email by Employees and System Configuration Management\n    Weaknesses Are Creating Security Risks (Reference Number 2006-20-110, dated\n    July 31, 2006).\n\xe2\x80\xa2   Managers and System Administrators Need to Limit Employees\xe2\x80\x99 Access to Computer Systems\n    (Reference Number 2005-20-097, dated July 2005).\n\xe2\x80\xa2   Increased Managerial Attention Is Needed to Ensure Taxpayer Accounts Are Monitored to\n    Detect Unauthorized Employee Accesses (Reference Number 2006-20-111, dated\n    July 24, 2006).\n\xe2\x80\xa2   Internal Penetration Test of the Internal Revenue Service\xe2\x80\x99s Networked Computer Systems\n    (Reference Number 2005-20-144, dated September 2005).\n\xe2\x80\xa2   Penetration Test of Internal Revenue Service Computer Systems (Reference\n    Number 2004-20-073, dated April 2004).\n\xe2\x80\xa2   Penetration Test of Internal Revenue Service Computer Systems (Reference\n    Number 2003-20-082, dated March 2003).\n\xe2\x80\xa2   Security Controls Were Not Adequately Considered in the Development and Integration\n    Phases of 
Modernization Systems (Reference Number 2005-20-128, dated August 2005).\n\n\n\n\n                                                                                          Page 21\n\x0c        Efforts Have Been Made, but Manager and Employee\n     Noncompliance With Security Policies and Procedures Puts\n             Personally Identifiable Information at Risk\n\n\n\n                                                    Appendix V\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                          Page 22\n\x0c   Efforts Have Been Made, but Manager and Employee\nNoncompliance With Security Policies and Procedures Puts\n        Personally Identifiable Information at Risk\n\n\n\n\n                                                     Page 23\n\x0c'